I've just completed an upgrade from 4.0.2.1 to 4.5.2 but I still have a question.
One of the steps to perform is to change the passwords from "Hashed" to "Clear" in web.config so you can actually log in. However, how do you change it back to "Hashed" and get all of your passwords hashed?
I presume you have to do this step so you can actually have the full upgraded version working as it is supposed to? Or is it optional to have passwords hashed or clear text?
If you know the hash function used by Umbraco it is easy as pie to just hash the passwords that are stored plain text in the DB and replace them with the hashed version. Then change the config files and you're ready to go...
I believe this is the relevant code (Member.cs):
    public string EncodePassword(string password, MembershipPasswordFormat pwFormat)
    {
        string encodedPassword = password;
        switch (pwFormat)
        {
            case MembershipPasswordFormat.Clear:
                // Stored unchanged
                break;
            case MembershipPasswordFormat.Encrypted:
                // Reversible encryption, Base64-encoded
                encodedPassword =
                    Convert.ToBase64String(EncryptPassword(Encoding.Unicode.GetBytes(password)));
                break;
            case MembershipPasswordFormat.Hashed:
                // HMAC-SHA1 keyed with the password's own UTF-16 bytes, Base64-encoded
                HMACSHA1 hash = new HMACSHA1();
                hash.Key = Encoding.Unicode.GetBytes(password);
                encodedPassword =
                    Convert.ToBase64String(hash.ComputeHash(Encoding.Unicode.GetBytes(password)));
                break;
        }
        return encodedPassword;
    }
Which would imply that SHA1 is used for hashing. If that is the case it should be simple enough to write a small helper util that would read all values for the passwords, hash them and write them back to the DB.
Basically keep the code for the last case and run... I do not have sufficient time now but maybe someone else here could set you up?
Wrote a simple console app to generate the hashes. I only have 50 or so users so it won't be a big deal to do the update manually. Also, maybe it is wisest to do the update in a manual way, one by one, imagine you have an automated app working on the DB directly, if you accidentally run it twice you'll be in a world of trouble :)
Just compile and run...
    using System;
    using System.Text;
    using System.Security.Cryptography;

    namespace PasswordHasher
    {
        class Program
        {
            static void Main(string[] args)
            {
                while (true) // Loop until the user types 'exit'
                {
                    Console.WriteLine("Enter password to hash or type 'exit':"); // Prompt
                    string password = Console.ReadLine(); // Get string from user

                    // ReadLine returns null at end of input; stop then as well
                    if (password == null || password == "exit")
                    {
                        break;
                    }

                    // Same transform as the Hashed case in Member.cs
                    byte[] bytes = Encoding.Unicode.GetBytes(password);
                    using (HMACSHA1 hash = new HMACSHA1())
                    {
                        hash.Key = bytes;
                        string encodedPassword = Convert.ToBase64String(hash.ComputeHash(bytes));
                        Console.WriteLine(encodedPassword);
                    }
                }
            }
        }
    }
I had about 3000 users and 20 members from a version 3 of umbraco that I upgraded to version 6.1.6, so I wrote some code which I just called from a usercontrol that I put on a dashboard. I knew that I was converting to Hashed passwords. Obviously make sure to backup the database/users and members table before running because if this runs twice then they are all messed up (hashed twice). Also, make sure to update your web.config so that the password format is now Hashed instead of Clear for both users and members. Definitely remove the dll you dropped in to run the code as well as you don't want it ever running again.
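    using System;
    using System.Security.Cryptography;
    using System.Text;
    using umbraco.BusinessLogic;            // User
    using umbraco.cms.businesslogic.member; // Member

    public class ChangePasswordsService
    {
        // Replaces every member's clear-text password with its hash. Run once only.
        public void ChangeAllMemberPasswords()
        {
            var allMembers = Member.GetAll;
            foreach (var member in allMembers)
            {
                member.ChangePassword(EncodeHashPassword(member.Password));
                member.Save();
            }
        }

        // Replaces every back-office user's clear-text password with its hash. Run once only.
        public void ChangeAllUserPasswords()
        {
            var allUsers = User.getAll();
            foreach (var user in allUsers)
            {
                user.Password = EncodeHashPassword(user.GetPassword());
                user.Save();
            }
        }

        // Same transform as the Hashed case in Member.cs:
        // HMAC-SHA1 keyed with the password's UTF-16 bytes, Base64-encoded.
        private string EncodeHashPassword(string password)
        {
            byte[] bytes = Encoding.Unicode.GetBytes(password);
            using (HMACSHA1 hash = new HMACSHA1())
            {
                hash.Key = bytes;
                return Convert.ToBase64String(hash.ComputeHash(bytes));
            }
        }
    }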
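Added example, not part of any post in this thread and not Umbraco code: the posts above warn that running the conversion a second time hashes the hashes. One guard is a per-row format marker, so that only rows still marked Clear are converted. The `Account` class, its `Format` field and the sample data are hypothetical stand-ins, not Umbraco types or schema.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Constructed stand-in for a user/member row. Format is a hypothetical
// per-row marker ("Clear" or "Hashed"), not a column from the Umbraco schema.
class Account
{
    public string Password, Format;
}

static class HashMigration
{
    // Same transform as the Hashed case above: HMAC-SHA1 keyed with the
    // UTF-16LE password bytes, computed over those same bytes, Base64-encoded.
    public static string EncodeHashPassword(string password)
    {
        byte[] bytes = Encoding.Unicode.GetBytes(password);
        using (var hash = new HMACSHA1(bytes))
            return Convert.ToBase64String(hash.ComputeHash(bytes));
    }

    // Converts only rows still marked Clear and returns how many it changed,
    // so a second run leaves already-hashed values alone.
    public static int Migrate(IEnumerable<Account> accounts)
    {
        int converted = 0;
        foreach (Account a in accounts)
        {
            if (a.Format != "Clear") continue;
            a.Password = EncodeHashPassword(a.Password);
            a.Format = "Hashed";
            converted++;
        }
        return converted;
    }

    static void Main()
    {
        // Constructed sample data: two accounts sharing one password.
        var accounts = new List<Account> {
            new Account { Password = "correct horse", Format = "Clear" },
            new Account { Password = "correct horse", Format = "Clear" } };
        Console.WriteLine("first run converted:  " + Migrate(accounts));
        string stored = accounts[0].Password;
        Console.WriteLine("second run converted: " + Migrate(accounts));
        Console.WriteLine("value unchanged:      " + (stored == accounts[0].Password));
        // The scheme has no salt, so equal passwords give equal stored values.
        Console.WriteLine("equal stored values:  " + (stored == accounts[1].Password));
    }
}
```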
Changing passwords back to Hashed after upgrade
Hi everyone,
I've just completed an upgrade from 4.0.2.1 to 4.5.2 but I still have a question.
One of the steps to perform is to change the passwords from "Hashed" to "Clear" in web.config so you can actually log in. However, how do you change it back to "Hashed" and get all of your passwords hashed?
I presume you have to do this step so you can actually have the full upgraded version working as it is supposed to? Or is it optional to have passwords hashed or clear text?
Cheers,
Garry.
Garry,
I'm a bit surprised by your statement that you need to change passwords to upgrade from a v4.0.2.1 to a v4.5.2 umbraco instance. I've been doing 2 upgrades over the last week, and I don't do anything with changing the way passwords are stored.
So, if you could find that reference, I'd be glad to read a bit more about it.
Cheers,
/Dirk
Hi Dirk,
The passwords in my database were initially in clear text, however in version 4.5.2 the web.config has these passwords stored as "Hashed" - therefore after doing the upgrade I had to change the web.config back to "Clear" in order to log into the back end of Umbraco.
I was also following some steps on http://www.karlkopp.com/blog/2010/7/27/upgrading-umbraco-40x-to-45x - if you look at step 7 you can see what I'm referring to.
Cheers,
Garry.
Ok, that makes sense, didn't know about this reference.
Cheers,
/Dirk
Hi Dirk,
Like Garry said... it seems the default setting in web.config changed from "Clear" to "Plain".
Of course, this can lead to surprises when upgrading. I also had an issue like that some days ago. Obviously, when these defaults change, users might ask themselves how to change over their own settings to this new default. I for one was faced with the fact that I saw the plain text passwords of my users in the DB when trying to solve an issue, knowing that many users will use the same passwords for different accounts this might create 'ethical' issues. A way to hash all passwords in the DB might therefore be useful.
Fair point Kris, and totally agree, and thanks for sharing that piece of code for others to enjoy.
Cheers,
/Dirk